A new browser side channel widens the web’s already expansive surveillance toolkit

Researchers have demonstrated a technique that allows websites to infer other sites a visitor is viewing and which applications are open on the device by analyzing subtle solid-state drive activity from within the browser. The method, called FROST, works by measuring storage timing through JavaScript and the browser’s origin private file system, or OPFS.

The result is notable not because it steals data in the conventional sense, but because it turns ordinary hardware behavior into a privacy leak. According to the report, a visitor need do nothing beyond opening the hostile site. From there, the browser-based code can observe contention in SSD input/output activity and use those measurements to infer information about what else is happening on the machine.

Why FROST stands out

Web tracking is already a mature arms race involving cookies, fingerprinting, session replay, and increasingly creative side channels. FROST matters because it shows how the browser’s expanding capabilities can create new surveillance surfaces even when direct access to other apps or tabs is blocked by sandboxing rules.

The attack is described as a contention side channel. In simple terms, it watches how multiple processes compete for a shared resource, in this case SSD I/O, and derives clues from the time certain operations take to complete. The researchers reportedly showed they could determine websites open in other tabs, even in other browsers, as well as applications running on the device.

That is a powerful reminder that privacy boundaries are not defined only by permissions dialogs and same-origin policies. They are also shaped by indirect physical signals, such as timing, cache behavior, and shared hardware bottlenecks. As browsers become platforms for office suites, editors, and development tools, the consequences of these indirect leaks can grow.

The browser is now a much bigger attack surface

The report quotes the researchers’ broader point: web browsers have evolved from simple document viewers into complex application environments. That evolution has obvious benefits. It enables richer productivity tools and more capable web apps. But it also expands the number of features that can be misused.

OPFS is one example. It gives sites reserved storage space to support advanced functionality. In normal use, that helps modern applications perform better. In adversarial use, the report suggests, it can provide a mechanism for measuring SSD activity patterns from within a webpage using JavaScript alone.

This is what makes FROST especially concerning from a policy and security perspective. It does not require installing malware, exploiting a browser memory corruption bug, or persuading the user to grant unusual permissions. If the technique is practical at scale, it turns an ordinary website visit into a potential behavioral sensor.

What happens next

Whether FROST becomes a widespread threat will depend on several factors, including how noisy the measurements are across different systems, how easily browser vendors can blunt the timing signal, and whether real-world attackers can convert the technique into reliable profiling or surveillance. The report notes that prior SSD contention attacks existed, but FROST is distinct because it runs exclusively in the browser.

That browser-only nature raises the pressure on browser makers and standards groups. Defenses might involve changing access patterns, degrading measurement precision, restricting APIs, or otherwise reducing the ability of sites to observe storage contention cleanly. Each mitigation comes with tradeoffs, because some of the same capabilities also support legitimate web applications.
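To make the "degrading measurement precision" tradeoff concrete, here is an added simulation; it is not code from the researchers, Ars Technica, or any browser vendor. It models the contention timing signal with constructed latency distributions and checks how well a simple threshold guess separates idle from contended storage when the page's timer is quantized and jittered, with one write per timestamp and with many writes batched under one timestamp. The latency figures and timer parameters are assumptions, not measurements.

```python
import random
import statistics

# Constructed latency model (microseconds) for one small storage write as seen
# from a page: idle storage gives tight timings, contention from another process
# shifts and widens them. These numbers are assumptions, not measurements.
IDLE_US = (120.0, 15.0)       # (mean, std dev) when no other I/O is competing
CONTENDED_US = (160.0, 40.0)  # (mean, std dev) when another process is busy on the SSD


def sample_latency(contended, rng):
    """Draw one write latency from the idle or contended distribution."""
    mean, sd = CONTENDED_US if contended else IDLE_US
    return max(1.0, rng.gauss(mean, sd))


def coarsen(t_us, resolution_us, jitter_us, rng):
    """Model a timer mitigation: quantize to a coarse tick, then add random jitter."""
    if resolution_us <= 0:
        return t_us
    return (t_us // resolution_us) * resolution_us + rng.uniform(0.0, jitter_us)


def time_batch(contended, batch, resolution_us, jitter_us, rng):
    """What a page observes: one coarsened timestamp delta around `batch` writes."""
    total = sum(sample_latency(contended, rng) for _ in range(batch))
    return coarsen(total, resolution_us, jitter_us, rng)


def distinguish_accuracy(batch, resolution_us, jitter_us, trials=400, seed=1):
    """Accuracy of a threshold guess ('contended' if the batch took longer than the
    midpoint of the two expected totals). 0.5 means the channel carries no signal."""
    rng = random.Random(seed)
    threshold = batch * (IDLE_US[0] + CONTENDED_US[0]) / 2.0
    correct = 0
    for i in range(trials):
        truth = (i % 2 == 1)  # alternate idle / contended ground truth
        guess = time_batch(truth, batch, resolution_us, jitter_us, rng) > threshold
        correct += (guess == truth)
    return correct / trials


if __name__ == "__main__":
    # Exact timer, single write: the contention signal is easily readable.
    print("1 write, exact timer:   ", distinguish_accuracy(1, 0, 0))
    # 1 ms timer with 100 us jitter: a single 120-160 us write is invisible.
    print("1 write, 1 ms timer:    ", distinguish_accuracy(1, 1000, 100))
    # Same coarse timer, but 200 writes under one timestamp: the signal returns.
    print("200 writes, 1 ms timer: ", distinguish_accuracy(200, 1000, 100))
```

Coarsening the timer removes the single-write signal but not the batched one, so anyone evaluating a precision-reduction mitigation needs to test amplified measurements rather than a single operation.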

For users, the immediate lesson is uncomfortable but familiar: the modern browser is one of the most exposed pieces of consumer software. It is expected to be secure enough for banking, expressive enough for professional work, and permissive enough to run increasingly sophisticated code from unknown websites. Those demands are often in tension.

FROST does not mean every site can suddenly read a user’s secrets. It does mean that the web privacy model continues to be vulnerable to indirect leaks that arise from system design rather than explicit data sharing. In a landscape where tracking techniques keep mutating, that is enough to make this research consequential.

The broader implication is straightforward. As browsers absorb more computing functions, defending user privacy will require not just blocking obvious access, but anticipating the side effects of running many powerful applications atop shared hardware. FROST is another sign that those side effects are becoming harder to ignore.

This article is based on reporting by Ars Technica.

Originally published on arstechnica.com